Title: Total Administrators Spam
Last modified: November 29, 2018

---

# Total Administrators Spam

 *  Resolved [jddevmo](https://wordpress.org/support/users/jddevmo/)
 * (@jddevmo)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/)
 * We are experiencing an issue where Ninjafirewall is sending a series of emails[
   NinjaFirewall] Alert: Database changes detected for administrator accounts. Within
   a few mins of each other we will receive multiple emails stating there are anywhere
   between 163 and 89 administrators and then a final email one that correctly states
   that there are only 12 administrators. Additionally, the email will list out 
   multiple duplicate accounts that are not administrators at all. Any thoughts 
   on what could be causing this issue?
 * Thanks in advance!

Viewing 15 replies - 1 through 15 (of 16 total)

1 [2](https://wordpress.org/support/topic/total-administrators-spam/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/total-administrators-spam/page/2/?output_format=md)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10933373)
 * That’s odd that it returned non-admin users, because it uses the WordPress API(
   get_users() function) to retrieve the list of admin users and it should be reliable.
   Did you have any database issues lately? Was there someone working on the DB 
   when it occurred?
    You can try this script: 1. Save this code to a script named
   whatever.php. 2. Upload it into the WP root folder, where your wp-config.php 
   script is located. 3. Go to [http://your-site/whatever.php](http://your-site/whatever.php)
   and check the results. Reload the page a few times to see if it returns the same
   results. Do you see anything wrong? 4. **Delete the script** afterwards.
 *     ```
       <?php
       header('Content-type: text/plain');
       require('wp-config.php');
       $adm_users = get_users(
          array( 'role' => 'administrator',
             'fields' => array(
                'ID', 'user_login', 'user_pass', 'user_nicename',
                'user_email', 'user_registered', 'display_name'
             )
          )
       );
       echo "Total admin users found: ". count( $adm_users ) ."\n\n";
       foreach( $adm_users as $adm ) {
          echo "Admin ID : {$adm->ID}\n";
          echo "-user_login : {$adm->user_login}\n";
          echo "-user_nicename : {$adm->user_nicename}\n";
          echo "-user_email : {$adm->user_email}\n";
          echo "-user_registered : {$adm->user_registered}\n";
          echo "-display_name : {$adm->display_name}\n\n";
       }
       exit;
       ```
   
 *  [jmdorst](https://wordpress.org/support/users/jmdorst/)
 * (@jmdorst)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10934807)
 * I have the same issue, but when I log in and look at my user list, everything
   looks fine.
 * And each time I get the spam, it’s coming from a different IP address.
    -  This reply was modified 7 years, 5 months ago by [jmdorst](https://wordpress.org/support/users/jmdorst/).
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10936435)
 * [@jmdorst](https://wordpress.org/support/users/jmdorst/) : Can you run the above
   script?
 *  [Mark](https://wordpress.org/support/users/marksda1/)
 * (@marksda1)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10938257)
 * I seem to be getting a variation of this. I received two alerts tonight like 
   this.
 * Alert: Database changes detected
 * The first one claimed there were 542 changed administrator accounts. It was one
   long blank list with the titles for the fields but no actual data.
 * The second alert showed just one account changed – my one and only admin account.
   I checked my user account and can find no changes but did change my password 
   to be on the safe side.
 * I looked at my SQL tables and it didn’t show any accounts other than the small
   handful that exist on my site. And I used the script above for extra measure.
   It also gave me one admin account, my own.
 * When I look at Ninjafirewall log it does show it blocked a visitor who was trying
   to enumerate authors.
 * HEAD /index.php – User enumeration scan (author archives) – [author=1]
    GET /
   index.php – User enumeration scan (author archives) – [author=1]
 * Several times over. No idea if there’s any connection.
 * The user IP listed in the email is mine which is the weird thing. I am logged
   in but before the alert I had not changed anything, password, etc. for my account.
   I was updating a widget in my sidebar.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10938336)
 * The user IP is from the person that triggered the alert, not the changes. It 
   is not important and can be unreliable. We will remove it in the next version
   because it is confusing.
 * Can you try to edit the “wp-content/plugins/ninjafirewall/ninjafirewall.php” 
   script?
    1. Open the file and search for `add_action('shutdown', 'nf_check_dbdata',
   1);`. 2. Replace it with `add_action('init', 'nf_check_dbdata', 1);`.
 * Then wait and see if you are still receiving false alerts.
 *  [jmdorst](https://wordpress.org/support/users/jmdorst/)
 * (@jmdorst)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10939291)
 * Ran the whatever script above. Received normal/expected results.
    Still getting
   paired notification as follows:
 * 1st one:
    [x] Total administrators (anywhere from 2 to 150+) Random IP address
   details then show blank entries… in the case of 2 I get Admin ID : -user_login:-
   user_nicename : -user_email : -user_registered : -display_name :
 * Admin ID :
    -user_login : -user_nicename : -user_email : -user_registered : -
   display_name :
 * 2nd notification
    I receive a correct number from my current IP address with 
   the information completed equal to what is received in the whatever.php results.
 * Ideas what is causing this odd occurrence?
 *  Thread Starter [jddevmo](https://wordpress.org/support/users/jddevmo/)
 * (@jddevmo)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10939498)
 * I also ran the whatever.php script and the correct admin accounts returned. I
   applied the change to the ninjafirewall.php file and will post back if the spam
   emails return.
 * Thanks
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10940325)
 * Let’s wait and see: if the change you applied to the ninjafirewall.php solve 
   the problem, it is likely a conflict with another plugin.
 *  [Mark](https://wordpress.org/support/users/marksda1/)
 * (@marksda1)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10948162)
 * Did the change to the plugin. I’ve continued to get the alerts but only just 
   now had time to check back and find out what the fix may be. I will report back
   whether or not the alerts stop.
 * The number has grown. I get two emails each time. One indicating my actual admin
   account has changed and another one telling me that thousands of admin accounts
   have changed but it’s just one blank entry after another. I’ve looked both ways
   and there just aren’t any other admin accounts besides mine.
 * Anyway, will report back.
 * PS To clarify, I was continuing to get the alerts and have now tried the fix.
   The way I worded that was not entirely clear. It’s late!
    -  This reply was modified 7 years, 5 months ago by [Mark](https://wordpress.org/support/users/marksda1/).
 *  [Mark](https://wordpress.org/support/users/marksda1/)
 * (@marksda1)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10951836)
 * So far, so good. First day I have not received those two messages warning me 
   about admin changes.
 * Knock on wood!
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10952070)
 * Do you have any caching plugin or a plugin to optimize your blog? Would you mind
   to list your active plugins?
 *  Thread Starter [jddevmo](https://wordpress.org/support/users/jddevmo/)
 * (@jddevmo)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10963013)
 * Hi, the issue remains. WPROCKET is the only optimization plugin we have on this
   website.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10964403)
 * I think it has to do with caching. Maybe object or DB caching. I’m still trying
   to find it out but it’s odd that the changes to the ninjafirewall.php script 
   didn’t work for you.
    If you have database caching enabled, could you try to 
   flush its cache?
 *  [burlingtonpress](https://wordpress.org/support/users/burlingtonpress/)
 * (@burlingtonpress)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10969899)
 * Just received this email on 1 of my sites:
 * NinjaFirewall has detected that one or more administrator accounts were modified
   in the database:
 * ****
    User IP: 34.233.208.215 Date: December 10, 2018 @ 07:02:18 (UTC -0500)
 * Total administrators : 522
    ****
 * Then this repeated 522 times:
 * ****
    Admin ID : -user_login : -user_nicename : -user_email : -user_registered:-
   display_name : ****
 * When I logged it, everything looked fine.
 *  [Mark](https://wordpress.org/support/users/marksda1/)
 * (@marksda1)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/total-administrators-spam/#post-10970000)
 * So far changing that one line of code has fixed this for me.
 * I am using a caching plugin – LiteSpeed Cache for WordPress
 * Those alerts were coming when I was active on my site. Every time I add a new
   post/page/etc. the cache is cleared. Connected to whatever was causing those 
   alerts maybe?
 * And above is exactly what I was getting. The last one claimed that over a thousand
   admin had modified accounts and there’s only one admin account.
 * Mark

Viewing 15 replies - 1 through 15 (of 16 total)

1 [2](https://wordpress.org/support/topic/total-administrators-spam/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/total-administrators-spam/page/2/?output_format=md)

The topic ‘Total Administrators Spam’ is closed to new replies.

 * ![](https://ps.w.org/ninjafirewall/assets/icon-256x256.png?rev=976137)
 * [NinjaFirewall (WP Edition) - Advanced Security Plugin and Firewall](https://wordpress.org/plugins/ninjafirewall/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/ninjafirewall/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/ninjafirewall/)
 * [Active Topics](https://wordpress.org/support/plugin/ninjafirewall/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/ninjafirewall/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/ninjafirewall/reviews/)

## Tags

 * [administrator](https://wordpress.org/support/topic-tag/administrator/)

 * 16 replies
 * 5 participants
 * Last reply from: [jmdorst](https://wordpress.org/support/users/jmdorst/)
 * Last activity: [7 years, 4 months ago](https://wordpress.org/support/topic/total-administrators-spam/page/2/#post-11000468)
 * Status: resolved